RE: [PHP] Question: Validation on select boxes and lists.
I just remembered something (smacks myself in the head). In both my multi-select and select menus I use dynamic options (meaning the options available come from a table). So, the table for states would look like this:

+---------+----------+
| StateID | State    |
+---------+----------+
| 1       | Arkansas |
| 2       | Alabama  |
| 3       | Arizona  |
+---------+----------+

What gets stored in the database is the StateID; the column is an int. My understanding is the database just won't accept anything but an int. I mean, I'm jamming on my keys now and the only thing the column will take is a real number. Based on this I think a hacker can do whatever they want by saving the page and altering the input, but all it would do is fail on insertion. Does this make sense?

And I'm not trying to be lazy here, only practical. Of course, should I still be polite to hackers by still testing for invalid characters? :)

Stuart

--- Graham Cossey [EMAIL PROTECTED] wrote:

> [snip]
> > How would a hacker pass an HTTP message? That is interesting.
>
> Read the off-list posted message from [EMAIL PROTECTED] (reproduced below for the benefit of other list members).
>
> Graham

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Question: Validation on select boxes and lists.
Stuart Felenstein wrote:

> I just remembered something (smacks myself in the head). In both my multi-select and select menus I use dynamic options (meaning the options available come from a table). So, the table for states would look like this:
>
> +---------+----------+
> | StateID | State    |
> +---------+----------+
> | 1       | Arkansas |
> | 2       | Alabama  |
> | 3       | Arizona  |
> +---------+----------+
>
> What gets stored in the database is the StateID; the column is an int. My understanding is the database just won't accept anything but an int. I mean, I'm jamming on my keys now and the only thing the column will take is a real number. Based on this I think a hacker can do whatever they want by saving the page and altering the input, but all it would do is fail on insertion. Does this make sense?

Yes, this makes sense; it's a commonly used technique as well =/

> And I'm not trying to be lazy here, only practical. Of course, should I still be polite to hackers by still testing for invalid characters? :)
>
> Stuart
>
> --- Graham Cossey [EMAIL PROTECTED] wrote:
>
> > [snip]
> > > How would a hacker pass an HTTP message? That is interesting.
> >
> > Read the off-list posted message from [EMAIL PROTECTED] (reproduced below for the benefit of other list members).
> >
> > Graham
[PHP] Question: Validation on select boxes and lists.
Hope this is not off topic, and it might be a dumb question, but I'm new. For drop-down menus, list boxes, selects etc., would validation be needed to check the string, say for special characters? (As a security precaution.)

Thanks,
Stuart
RE: [PHP] Question: Validation on select boxes and lists.
[snip]
> Hope this is not off topic, and it might be a dumb question, but I'm new. For drop-down menus, list boxes, selects etc., would validation be needed to check the string, say for special characters? (As a security precaution.)

I have read several posts/articles on this matter, and although the actual HTML form will only pass the values available, it is possible for a hacker to compose an HTTP 'message' with data other than that provided by the HTML form. So, validation is advisable.

A site that I would highly recommend, as it has enlightened me on several topics, is: www.shiflett.org

Graham
RE: [PHP] Question: Validation on select boxes and lists.
Graham,

Thank you. Actually, you suggested this site to me the other day and it's great! I have read through a number of documents and have a few more to get through.

How would a hacker pass an HTTP message? That is interesting.

Stuart

--- Graham Cossey [EMAIL PROTECTED] wrote:

> [snip]
> > Hope this is not off topic, and it might be a dumb question, but I'm new. For drop-down menus, list boxes, selects etc., would validation be needed to check the string, say for special characters? (As a security precaution.)
>
> I have read several posts/articles on this matter, and although the actual HTML form will only pass the values available, it is possible for a hacker to compose an HTTP 'message' with data other than that provided by the HTML form. So, validation is advisable.
>
> A site that I would highly recommend, as it has enlightened me on several topics, is: www.shiflett.org
>
> Graham
RE: [PHP] Question: Validation on select boxes and lists.
[snip]
> How would a hacker pass an HTTP message? That is interesting.

Read the off-list posted message from [EMAIL PROTECTED] (reproduced below for the benefit of other list members).

Graham

--
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 21 October 2004 23:07
To: Graham Cossey; Stuart Felenstein
Subject: RE: [PHP] Question: Validation on select boxes and lists.

You have to remember that the user isn't really filling in a form on your site; rather, they are retrieving a page from your site, storing it on their machine (most times temporarily in their browser) and then sending it back to your site. If you think of it in the latter manner you'll realize that while they have it on their machine, the user can save and edit the form to meet their desires before sending it back. As such, *all* data input (whether from a text area, pulldown, checkbox, or radio button) should be validated on your side.

An amusing thing to do is to find a site/page that puts prices as the values on, say, a pulldown or checkbox. Edit these values to something more to your liking and then submit the form. You could end up being charged your price of choice, rather than what the site thought they were going to charge you.
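An added example (editor's code, not posted by anyone in this thread) that ties together the two points raised above: the submission can be composed by hand rather than by the browser, and a select value becomes trustworthy only once the server has checked it against the set of options it actually offered, with prices looked up server-side rather than read back from the form. The table and column names (`states`/`StateID` as in Stuart's sketch, plus a hypothetical `products` table with a `Price` column), the placeholder host `example.test` and the in-memory SQLite database are assumptions made so the script runs offline with the PHP CLI and the pdo_sqlite extension:

```php
<?php
// Added example, not code from the list thread.  Server-side validation of a
// <select> value: the allowed values are the StateIDs that exist in the states
// table, so the check is a whitelist of known ids, not a filter on characters.
// Table/column names (states, StateID, products, Price) are assumptions.
//
// A tampered submission needs no browser at all; this is the "HTTP message"
// Graham mentions (example.test is a placeholder host):
//   curl -d 'StateID=3 OR 1=1' -d 'price=1' http://example.test/order.php

declare(strict_types=1);

// In-memory SQLite stands in for the real database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE states (StateID INTEGER PRIMARY KEY, State TEXT NOT NULL)');
$db->exec("INSERT INTO states VALUES (1, 'Arkansas'), (2, 'Alabama'), (3, 'Arizona')");

// Hypothetical product table: prices live here (in cents), never in the form.
$db->exec('CREATE TABLE products (ProductID INTEGER PRIMARY KEY, Price INTEGER NOT NULL)');
$db->exec('INSERT INTO products VALUES (10, 1999), (11, 4999)');

/**
 * Return the StateID as an int if the submitted value is a well-formed
 * integer AND a row with that id exists; otherwise return null.
 */
function validStateId(PDO $db, $raw): ?int
{
    // FILTER_VALIDATE_INT rejects "3abc", "3 OR 1=1", "" and "1.5" outright,
    // rather than leaving it to the database's type coercion rules.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT 1 FROM states WHERE StateID = ?');
    $stmt->execute([$id]);
    return $stmt->fetchColumn() !== false ? $id : null;
}

/**
 * Multi-select: every element must pass and duplicates collapse.  A tampered
 * scalar where an array was expected is rejected outright.
 */
function validStateIds(PDO $db, $raw): ?array
{
    if (!is_array($raw)) {
        return null;
    }
    $ids = [];
    foreach ($raw as $v) {
        $id = validStateId($db, $v);
        if ($id === null) {
            return null;
        }
        $ids[$id] = $id;
    }
    return array_values($ids);
}

/**
 * Price taken from the database by product id; whatever price the client
 * put in the form is ignored entirely.
 */
function serverPrice(PDO $db, $rawProductId): ?int
{
    $id = filter_var($rawProductId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT Price FROM products WHERE ProductID = ?');
    $stmt->execute([$id]);
    $price = $stmt->fetchColumn();
    return $price === false ? null : (int) $price;
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    ['StateID' => '2'],              // legitimate
    ['StateID' => '3 OR 1=1'],       // crafted, not an integer
    ['StateID' => '99'],             // a valid int the column would accept, but no such state
    ['StateID' => ['1', '3', '3']],  // multi-select with a duplicate
    ['StateID' => ['1', 'x']],       // one bad element rejects the whole set
];
foreach ($samples as $post) {
    $raw = $post['StateID'];
    $result = is_array($raw) ? validStateIds($db, $raw) : validStateId($db, $raw);
    printf("%-16s => %s\n", json_encode($raw), json_encode($result));
}

// The price trick from the off-list message: use the id, look the price up.
$tampered = ['product' => '10', 'price' => '1'];
printf("client sent price %s, server charges %d cents\n",
    $tampered['price'], serverPrice($db, $tampered['product']));
```

Run it with `php validate.php` (the filename is arbitrary). The point of the membership query is that an int column constrains the type of a value but not which value: `99` is a perfectly good integer the insert would accept, and only the lookup against the table of offered options turns the check into a whitelist. The prepared statement is what keeps a crafted string such as `3 OR 1=1` out of the SQL text even before the integer filter rejects it.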